Are we talking “cyber war” like the Bush admin talked WMDs?

A new policy paper suggests that the current discussion about impending "cyber …

Turn any corner in the complex metropolis that is Internet policy and you'll hear about the "cybersecurity" crisis in two nanoseconds. As a consequence, the public is treated to a regular diet of draconian fare coming from Sixty Minutes and Fresh Air about the "growing cyberwar threat."

Former National Security Adviser Richard A. Clarke suggests a thought exercise in his hit book Cyber War: imagine you are the assistant to the president for Homeland Security. The National Security Agency has just sent a critical alert to your BlackBerry: "Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure."

As you get to your HQ, one of the DoD's main networks has already crashed; computer system failures have caused huge refinery fires around the country; the Federal Aviation Administration's air traffic control center in Virginia is collapsing, and that's just the beginning.

"The Chairman of the Fed just called," the Secretary of the Treasury tells you. "Their data centers and their backups have had some sort of major disaster. They have lost all their data." Power blackouts are sweeping the country. Thousands of people have already died. "There is more going on," Clarke narrates, "but the people who should be reporting to you can't get through."

This sort of scare-the-children prose has become something close to the norm, complain George Mason University Mercatus Center researchers Jerry Brito and Tate Watkins in a new working paper about what they see as the real problem—"threat inflation."

"The rhetoric of 'cyber doom'," Brito and Watkins write, "lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well."

Our past experience

The paper's title is "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." As that last paragraph suggests, these authors see a clear and present parallel between the cyberwar debate and the rhetoric of the Bush administration after September 11, 2001.

First, the paper notes, the White House implied that Iraq's then-dictator Saddam Hussein had something to do with the attacks on New York City and the Pentagon. Then the government convinced influential newspapers like The New York Times to favorably quote administration leaks suggesting that Iraq possessed weapons of mass destruction.

Both of these assertions were ultimately debunked, but the damage was done. As late as 2006, polls indicated that 40 percent of the US population still thought that Hussein was somehow in on 9/11.

As with that story, "there is very little verifiable evidence" to back up the cyber threats claimed now, "and the most vocal proponents of a threat engage in rhetoric that can only be characterized as alarmist," Brito and Watkins write. "Cyber threat inflation parallels what we saw in the run-up to the Iraq War."

Probed daily

The paper is particularly hard on the report of the Commission on Cybersecurity for the 44th Presidency. Launched by the Center for Strategic and International Studies, it came complete with a distinguished panel of academics, consultants, IT industry biggies, and former government officials. What it didn't come with, the Mercatus study contends, was much evidence for the dire situation it posited—that the protection of cyberspace "is a battle we are losing."

For example, the CSIS report warned that Department of Defense computers are "probed hundreds of thousands of times each day." But of course that's true, the paper notes. Probing and scanning are the norm in cyberspace, with software constantly trying the doors of websites and portals.

Then the blue ribbon document contended that "porous information systems have allowed opponents to map our vulnerabilities and plan their attacks."

Depriving Americans of electricity, communications, and financial services may not be enough to provide the margin of victory in a conflict, but it could damage our ability to respond and our will to resist. We should expect that exploiting vulnerabilities in cyber infrastructure will be part of any future conflict.

Where, the Mercatus researchers ask, was the evidence that America's opponents have "mapped vulnerabilities" and "planned attacks"? These sorts of reports often imply that they're working from classified sources. But: "If our past experience with threat inflation teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole source of evidence for the existence or scope of a threat."

Clarke and the present danger

Richard Clarke's doomsday scenarios are next on the Mercatus paper's takedown list. Clarke's book cites the distributed denial of service attacks on Estonian and Georgian websites in 2007 and 2008 as particularly ominous. Obviously these assaults were serious and consequential, Brito and Watkins agree. But how do we get from botnet-infested computers or networks to the blackout, fire, and infrastructure collapse scenarios that Cyber War posits?

We just don't, they insist, and they also take Clarke to task for citing the Brazil blackout of 2007 as another Exhibit A for future cyber eschatologies. The going thesis for a while was that the disaster was prompted by a criminal hacking. But subsequent probes of the crisis by the power company and its regulator concluded that dirt on high voltage insulators caused the outage.

Ditto for the Northeast power blackout of 2003, suspected of being part of a worm-based cyberattack, found to be no such thing in a subsequent investigation.

It's pretty obvious that these researchers deplore Clarke's book, especially speculations that the Russians "are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved."

This sort of prose is "eerily reminiscent of the suggestion before the invasion of Iraq that although we lacked the type of evidence of WMD that might lead us to action, we would not want 'the smoking gun to be a mushroom cloud'," Brito and Watkins write.

Cyber pork

The Mercatus authors see very little good in this rhetoric, and many bad outcomes. They see unjustified regulation of the Internet as one possibility, and as Ars readers know, Congress has considered a bill that at one point would have given the president the authority to shut the 'Net down in the event of a cyberattack.

They also see corporations ratcheting up the volume on the issue to bring in defense contracting dollars, and politicians joining the panic party to deliver federal money to their districts. But ultimately what they see is a scare mongering discourse that will make it impossible to realistically assess the cybersecurity situation.

"Let us be very clear," their essay acknowledges: "although we are skeptical of the scope of the threat as presented by the proponents of regulation, we do not doubt that cyber threats do exist, nor would we suggest that regulation can never be appropriate. What we do propose is that before we rush to regulate cyberspace we should first demand verifiable evidence of the threat and its scope and, second, we should use any such evidence to conduct a proper analysis to determine whether regulation is necessary and if it will do more good than harm."

Cyber war? As in part of a real war? Not very likely at least not with the first world as target. Whatever you do you most likely could only disrupt real physical things for a short amount of time. Western governments are not Iran, the moment nuclear controlling software would have a problem for example as a worst case scenario, a couple dozen Siemens engineers would be on site and reimage the whole IT infrastructure with a clean build. As long as 95% of all software comes out of the western hemisphere the best you could do is disrupt things for a week or so.

That would make us mad and annoy us but the only real value would be in distracting a country while you have a simultaneous "real" attack. And who should do that? An IT attack in conjunction with an invasion of Western Europe might have been great for the Soviet Union but apart from that?

Directly influencing weapon systems would also be an amazing weapon but you can hardly hack those, so it would need to be built in, which again normally gives the advantage to those building and selling the modern weapon systems. Which is the US, Europe, ... The moment my army bought a shitload of guided missiles from China I would rethink my stance.

Which leaves cyber-attacks as a form of terrorism (possible) and economical disruption (which China apparently does pretty widely, attack on Google and western source control systems anyone?) But even here I would wager that a couple Chinese interns in western companies are an even better way to get information. Hell they even get paid for that.

That would make us mad and annoy us but the only real value would be in distracting a country while you have a simultaneous "real" attack. And who should do that?

"Only" real value? That's a huge offensive advantage.

Pretending that China or Iran is waging a cyber-war would allow the CIA/Pentagon to attack that country with real weapons (or with their own unprovoked hacking against them). It's all the excuse they need.

btw - the US has so many agents in Iran that they practically own the country. Don't be surprised if Ahmadinejad is one of them.

This really leaves me wondering what the gurus at Google think. They not only have plenty of first hand experience dealing with China (perhaps our most likely threat), but they also have the best global overview of the internet in existence.

Which makes me wonder if/why we aren't hiring Google to deal with it. Aren't they the obvious first stop shop?

I suspect that there is some philosophical dissonance here. If our government / military / national security, and all the hawks that circle them, really honestly know that the threat is what they hype it to be, then you would think that it would behoove them to court companies like Google for help. But perhaps, as the article suggests, they are over inflating the case, obviously as an excuse to get hired to fight phantoms. Or perhaps the threat is what they claim, but they don't like Google's honest-geek attitude/approach, preferring instead what they can strictly control (military style stuff). Even if the honest geeks might be our best possible warriors.

I can't help but think of cyber security as a matter best crowdsourced on many levels. There is simply no way for government operations to ferret through all the details that count, find all the weaknesses, and patch them all up. Security through obscurity is a known failure, so what have we to hide? The open source movement demonstrates a vast unqualified success, and shows us that WE have tremendous power to do great things collectively. That should include keeping us secure from foreign cyber attacks, and our government should be mobilizing and empowering the public to protect ourselves. I will note that such an initiative would also be the public's best protection against being scammed by the military industrial complex on this issue.

That would make us mad and annoy us but the only real value would be in distracting a country while you have a simultaneous "real" attack. And who should do that?

"Only" real value? That's a huge offensive advantage.

Pretending that China or Iran is waging a cyber-war would allow the CIA/Pentagon to attack that country with real weapons (or with their own unprovoked hacking against them). It's all the excuse they need.

btw - the US has so many agents in Iran that they practically own the country. Don't be surprised if Ahmadinejad is one of them.

Any attacks against China will be covert and very deniable. The US does not dare upset China too badly - your economy is tied to them and they've got lots of US dollars in their banks. Actual physical attacks are all but unthinkable.

Which makes me wonder if/why we aren't hiring Google to deal with it. Aren't they the obvious first stop shop?

Son you need to get your head right. When the US needed a company to build a fence along the border with Mexico did they go get the best fence building company in the world? No they went and got Boeing. A company that doesn't know squat about building a fence. But a company that knows how to milk the system. You can bet it is companies like that that are behind the cyber propaganda as well. They know how to work the media, have the contacts with the right people that can get the money moving etc. Heck if you got Google on it they just might do it for free and what a wasted opportunity that would be.

Any attacks against China will be covert and very deniable. The US does not dare upset China too badly - your economy is tied to them and they've got lots of US dollars in their banks. Actual physical attacks are all but unthinkable.

Great point. Neither do I think they'd waste money or soldiers by defending North Korea any longer.

I only hope the US considers history as they try to force their trade and human rights standards on them. Google is the new East India Company... China is right to be wary.

I see more of an immediate issue with attacking places with large amounts of CC data, thus disrupting global economy. PSN is a mess--what would happen if several large companies were hit at the same time? Even if things were screwed up for just a week, it would be a huge cluster. It would probably hit the stock market pretty hard, if only due to speculation and the money lost to fix the mess.

The US does not dare upset China too badly - your economy is tied to them and they've got lots of US dollars in their banks. Actual physical attacks are all but unthinkable.

Why in God's name should they do it anyway? The US is a democratic country after all and invading Iraq was planned for years and could have been easily stopped by a willing institution. The problem was there was none, after 2001 the whole country was so paranoid that a majority was willing to invade. Besides Iraq was a past aggressor, in clear breach of many UN sanctions hell Bill Clinton bombed the shit out of them in 1998 precisely because they had pretty much violated every UN decree possible.

Invading China? Totally different matter. It's much more dangerous that China forces the US to use force by doing something really really stupid like reacting to some internal turmoil or perceived provocation, for example by trying to create facts taking Taiwan in a quick campaign. And suddenly one or two carrier fleets would need to decide what to do.

The money? Completely irrelevant, if you enter a war with a nuclear armed country that has ballistic missiles and nuclear weapon carrying submarines you do not care about some stupid number in a bank account of a thing you can pretty much print in as many quantities as you desire. The US government is literally in possession of a printing press. So the money that China did lend to the US is probably the single biggest insurance policy that China won't do anything to rock the boat. Which is a splendid thing for all of us.

While I certainly applaud any outbreaks of common sense, there's surely some degree of truth to the claimed existence of "cyber threats". In a word "stuxnet". Which might be US instigated, but if we could do that it would be unreasonable not to expect others to possess similar capabilities. On the other hand:

Dwight D. Eisenhower wrote:

In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist.

Well good thing the FBI has us covered. As the "DoJ, FBI take down botnet" story informs us, all we have to do to protect ourselves is sign a waiver and give the government access to our computers! Especially against something like "zero day" malware -- it's all about being proactive...right?

Invading China? Totally different matter. It's much more dangerous that China forces the US to use force by doing something really really stupid like reacting to some internal turmoil or perceived provocation, for example by trying to create facts taking Taiwan in a quick campaign. And suddenly one or two carrier fleets would need to decide what to do.

Physical invasion of China is impossible. No country has the manpower. Hacking China is much more likely, and is very likely going on right now. What is their government up to? What technologies are they developing? Is there a commercial benefit for the US somewhere in there?

Quote:

The money? Completely irrelevant, if you enter a war with a nuclear armed country that has ballistic missiles and nuclear weapon carrying submarines you do not care about some stupid number in a bank account of a thing you can pretty much print in as many quantities as you desire. The US government is literally in possession of a printing press. So the money that China did lend to the US is probably the single biggest insurance policy that China won't do anything to rock the boat. Which is a splendid thing for all of us.

Money is very much relevant. If China dump their US dollars onto the market, the US will see a substantial drop in their economy, likely pushing the nation into recession. That military you mentioned requires a lot of money to maintain, and that's much harder when the money buys you less on the international stage. You really don't want your dollar devalued even more.

Not that China would do that. We're all friends here, right?

It's all a bit off-topic though, and my geo-politics is a bit shaky so I'll bow out now.

Invading China? Totally different matter. It's much more dangerous that China forces the US to use force by doing something really really stupid like reacting to some internal turmoil or perceived provocation, for example by trying to create facts taking Taiwan in a quick campaign. And suddenly one or two carrier fleets would need to decide what to do.

Physical invasion of China is impossible. No country has the manpower. Hacking China is much more likely, and is very likely going on right now. What is their government up to? What technologies are they developing? Is there a commercial benefit for the US somewhere in there?

Quote:

The money? Completely irrelevant, if you enter a war with a nuclear armed country that has ballistic missiles and nuclear weapon carrying submarines you do not care about some stupid number in a bank account of a thing you can pretty much print in as many quantities as you desire. The US government is literally in possession of a printing press. So the money that China did lend to the US is probably the single biggest insurance policy that China won't do anything to rock the boat. Which is a splendid thing for all of us.

Money is very much relevant. If China dump their US dollars onto the market, the US will see a substantial drop in their economy, likely pushing the nation into recession. That military you mentioned requires a lot of money to maintain, and that's much harder when the money buys you less on the international stage. You really don't want your dollar devalued even more.

Not that China would do that. We're all friends here, right?

It's all a bit off-topic though, and my geo-politics is a bit shaky so I'll bow out now.

Hmm, my geo-politics is also wanting, but I seem to remember reading that China is the largest buyer of U.S. Treasury notes. Of course, we know this because that is where a majority of the U.S. debt is held. But I remember reading about that in the context that they were holding onto the Treasury notes by the billions. Perhaps waiting for the opportune moment to flood the world market with U.S. dollars, thereby devaluing the currency? Heck, we know that China wants the dollar removed as the world's reserve currency. They've been trying to get that done since before the economic collapse. If the dollar were to suddenly lose value, the international community would have no choice but to dump it.

It's an interesting conspiracy theory if you ask me. Interesting to think about, that is. In reality, if this were to happen, my family and I would soon starve, as would most Americans. Most of us are barely scraping by paycheck to paycheck. The recent uptick in commodity and fuel prices is making a terrible impact on the bottom lines of already poor families. If this nightmare scenario were to play out, it would mean World War III. If you corner an American, he will try and kill you. It's the way we think. Heck, I'd join up if for nothing else than the three square meals and the chance to kill some of the folks who singlehandedly killed my country's economy.

Hmm, if nothing else, I think I have a new speculative short story idea. Thank you for sparking my imagination.

That would make us mad and annoy us but the only real value would be in distracting a country while you have a simultaneous "real" attack. And who should do that?

"Only" real value? That's a huge offensive advantage.

Pretending that China or Iran is waging a cyber-war would allow the CIA/Pentagon to attack that country with real weapons (or with their own unprovoked hacking against them). It's all the excuse they need.

btw - the US has so many agents in Iran that they practically own the country. Don't be surprised if Ahmadinejad is one of them.

Any attacks against China will be covert and very deniable. The US does not dare upset China too badly - your economy is tied to them and they've got lots of US dollars in their banks. Actual physical attacks are all but unthinkable.

Those that love to preach that China has the US by the balls forget that China's economy relies directly on exporting to the US.

If we can't buy those products or embargo Chinese imports and force US companies to move manufacturing elsewhere China's economy goes down quicker than the Titanic.

Cyberwar is a fraud, dreamed up by a bunch of snake oil salesmen with a long history of such things. It should have been dismissed long ago.

The idea that our computer systems are fragile just doesn't hold water. They are bug prone and subject to constant operator mistakes and abuse. Just to survive without collapsing into a heap of their own accord they have to be engineered to be very resilient. Despite all the handwaving there is a singular lack of evidence of any sort of substantial cyberwar attack. Compare that with the number of failures due to other causes.

Most of the storylines you hear by the cyber-doomsters show a poor understanding of the technology and a constant attempt to conflate it with military operations:

"The National Security Agency has just sent a critical alert to your BlackBerry: "Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure."

Is just laughable as if malware were bomber fleets that we can scramble interceptors after. This is common, the language of mass destruction is also often used to try to make cyber attacks seem more important.

>Those that love to preach that China has the US by the balls forget that China's economy relies directly on exporting to the US.

This is nonsense. 80% of Chinese exports don't go to the US.

What we are seeing in the US is a downward spiral of hysterical stupidity. Where people are refusing to adapt and instead are looking for scapegoats. Cyberwar fits right in there with that mentality. As does blaming the Chinese for our refusal to compete.

"The National Security Agency has just sent a critical alert to your BlackBerry: "Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure."

Is just laughable as if malware were bomber fleets that we can scramble interceptors after. This is common, the language of mass destruction is also often used to try to make cyber attacks seem more important.

If "zero day malware" was being used to take down critical infrastructure as a foreign attack on the country, I would imagine that knocking out the phone systems would be one of the first things they would do. Then the super important person wouldn't get his critical alert that the system was down in the first place.

I think the whole Aaron Barr/HBGary thing is a smaller example of this exact kind of thing. Those involved talked up the threat, got themselves hired and proceeded to go about their 'mission' in a reckless and illegal manner.

Does that sound like what happened with Blackwater Xe to you?

When it comes to 'cyber war' I can understand it: the current military is not necessarily equipped for it, and the people who are in charge of outsourcing are, at best, out of their depth. I can only hope that the responsibility falls to someone who knows what they are talking about and can keep a clear head, not someone who is easily taken in by salesmen.

Moonshark wants to eat my post so I'll just add a long off-topic rant and hope he turns his attention elsewhere:

The comparison I am thinking of is with an estate agent my fiancée and I met when we were looking for a place. The sign in the window had a place that looked perfect for us at a good price, so we went in to ask. We knew it was going to be bad when he started with that long intake of breath that mechanics do when they want to tell you it's going to cost more than you were hoping.

He told us that the place we were asking about had gone, and in fact none of the ones in the window were available because "the market moves so fast, you see, it's not worth us changing our displays". He then proceeded to tell us we'd be lucky to find a place like that (you know, like the one advertised in his window) and do his best to scare us about the state of the property market before trying to sell us a smaller place, with higher rent, and right out on the edge of town. Of course, he could only find one possible property we could let, so we'd have to snap it up fast (when we declined, he suddenly decided he "might have another one you'd be interested in, actually...").

So my point is that even though we both hated the guy, this was what bothered me: if my parents had been helping us look, I know they would have believed every word he said. Not because they're particularly credulous people, but because they like to plan for the worst case scenario and his speech would have pushed every single one of their buttons.

I think we have the same kind of people in charge of the military (in the US and here in the UK, possibly elsewhere too): naturally they want to plan for the worst case scenario, and if someone tells them it's worse than it is they will likely believe them. Just in case they can't afford not to.

In the UK the Government already has the legal right to shut down the net connections to the UK, very naughty I think. Also just out of interest it is illegal in the UK to encrypt any data the Government can't decrypt and read. GCHQ in the south of England can access all transmissions into the country. That's not a secret by the way it's just its M.O.

I do wonder though how secure our traffic management systems are and our bank data and air traffic control systems are though. God I sound like a Die Hard script.

Stuxnet is an example of what's possible in "cyberwar". It's not high profile stuff and it's not going to bring the power grid down. It's going to be an annoyance here and there with highly speculative attacks that depend on employees ignoring procedures and bringing things like USB sticks in from the outside.

Taking down the internet is going to do absolutely nothing to a cyber-attack on critical infrastructure because none of it depends on the internet. An attack requires some sort of virus to have already penetrated and (probably) be running its own timetable independent of external factors.

Anything more flashy than that is just fearmongering, which is always awesome for winning elections.

Perhaps "cyberwar" is not quite exactly correct since this isn't really a declared war between US and China or Russia or Germany or wherever else the attacks originate from but the attacks are real and to my casual observation they do appear to be growing in number and severity and gaining a lot more attention from the public. Some of these attacks certainly seem to have the backing from the Chinese government but I'm pretty sure the US does the same thing to them and everybody else. The war has already begun.

If you aren't worried about cyberwar, then it's clear you don't understand what it is. The U.S. was able to bring a nuclear enrichment facility in Iran to a halt by exploiting a controller found in almost every piece of manufacturing equipment. It's not hard to imagine someone using that same exploit, but not in a surgically targeted way. Imagine waking up one day to find that nothing with a cpu in it works. The sheer panic and rioting such an event would set off would cause more widespread devastation than any single bomb attack ever could.

I would argue that stuxnet was state sponsored cyber terrorism. I'm pretty sure that there won't be any way to link it directly to the US government who will deny it but nevertheless they are the ones who most likely funded it.

Matthew Lasar / Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz.